Netgate Discussion Forum

    Netgate 2100 - setup question

    Category: Official Netgate® Hardware
    67 Posts 6 Posters 11.0k Views
    netboy @rcoleman-netgate

      @rcoleman-netgate On the LAN firewall (192), BLOCK IoT (172), and this must be the FIRST rule. Have I got it right? On the drop-down there are two options, IOTP4 address and IOTP4 net - which one do I select as source?

      Below correct?

      [screenshot]

      rcoleman-netgate (Netgate) @netboy

        @netboy That will only block HTTP and HTTPS but not Ping or DNS

        Set the traffic to ANY type, not TCP.

        And, as I said, IOT Network, not IOT Address :)

        Ryan
        Repeat, after me: MESH IS THE DEVIL! MESH IS THE DEVIL!
        Requesting firmware for your Netgate device? https://go.netgate.com
        Switching: Mikrotik, Netgear, Extreme
        Wireless: Aruba, Ubiquiti

        netboy @rcoleman-netgate

          @rcoleman-netgate
          Is this correct? The order ok?

          [screenshot]

          rcoleman-netgate (Netgate) @netboy

            @netboy Needs to be IOTP4 Network, not address.


            netboy @rcoleman-netgate

              @rcoleman-netgate got it

              This ok?

              [screenshot]

              rcoleman-netgate (Netgate) @netboy

                @netboy Should be. Plug into the IOTP4 network and try to access anything on the LAN network (pf GUI on that IP, ping, etc.)

                It should block, and when you come back the

                0 / 0 B

                in the states column should increment.


                netboy @rcoleman-netgate

                  @rcoleman-netgate Did not work - please see screenshot below

                  [screenshot]

                  rcoleman-netgate (Netgate) @netboy

                    @netboy [screenshot]

                    Automatically Select == use the network based on the IP you're pinging. Switch that to "IOTP4"


                    netboy @rcoleman-netgate

                      @rcoleman-netgate [screenshot]

                      Able to ping after pointing source address to IOTP4

                      stephenw10 (Netgate Administrator)

                        You should move that rule from the LAN interface to the IOTP4 interface.

                        Connections are opened from there and that's where they need to be blocked.

                        You probably also want the destination to be LANnet so that all hosts in the LAN subnet are blocked.
                        I would also choose to use a reject rule rather than block there so that clients on the IOTP4 subnet see the connection as refused immediately rather than having to time out. It just makes failures easier to handle for devices mistakenly trying to access LAN.

                        You need to test it from a device on the IOTP4 subnet so that the traffic goes through the IOTP4 firewall rules.

                        Steve

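As an added illustration (not from the thread, and not the ruleset pfSense itself generates), the advice above expressed in pf.conf syntax, which is what a pfSense GUI rule compiles down to. Interface names and the /24 prefixes are assumptions; the thread only gives the first octets (172 for IoT, 192 for LAN). Note the two source choices from earlier in the thread: `$iot_if:network` is "IOTP4 net" (the whole subnet), while `($iot_if)` would be "IOTP4 address" (only the firewall's own interface IP, which is why that variant never matched).

```pf
# Added example: pf.conf equivalent of the IoT -> LAN isolation rule discussed
# in this thread. Not from the original posts; not pfSense-generated output.
iot_if = "igb2"   # PLACEHOLDER: the interface pfSense calls IOTP4
lan_if = "igb1"   # PLACEHOLDER: the interface pfSense calls LAN

# The rule is bound to the interface where connections ORIGINATE (IOTP4) and
# evaluated on traffic coming IN on it. A rule on the LAN interface would only
# see traffic entering from LAN hosts, so it never matched IoT -> LAN flows.
#
#   block return  == pfSense "Reject": TCP RST / ICMP unreachable is sent back,
#                    so IoT clients fail fast instead of waiting for a timeout.
#   no "proto"    == any protocol, so ICMP echo and UDP DNS are covered, not
#                    just TCP 80/443.
#   quick         == first match wins, so this must come before the pass rule.
block return in quick on $iot_if inet from $iot_if:network to $lan_if:network

# Everything else from the IoT subnet (Internet access etc.) stays allowed.
pass in quick on $iot_if inet from $iot_if:network to any keep state
```

Two things the fragment makes visible that the GUI hides: ordering is decided by `quick` (the reject rule must sit above the pass-all), and the rule only ever applies to traffic that actually crosses pfSense, which is why testing has to be done from a device in the IOTP4 subnet rather than from the firewall's own diagnostics page.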
                          netboy @netboy

                            @netboy OK

                            Removed BLOCK rule from LAN interface and included this

                            [screenshot]

                            Shall I apply this and test?

                            stephenw10 (Netgate Administrator)

                              That will work. I would set the protocol to 'any' though to include ping etc.

                              netboy @stephenw10

                                @stephenw10
                                This is what my firewall rules are now

                                [screenshot]

                                Did a ping test and works - does not block!

                                [screenshot]

                                stephenw10 (Netgate Administrator)

                                  Yeah, you have to test from a device in the IOTP4 subnet. Pings generated from pfSense itself do not get filtered by those firewall rules. Only outbound rules would be applied, and by default everything is allowed outbound.

                                  Steve

                                  netboy @stephenw10

                                    @stephenw10

                                    Looks like a SUCCESS!

                                    [screenshot]

                                    Thank you stephenw10 and all others

                                    netboy @netboy

                                      @netboy Able to ping from 192 subnet to 172

                                      [screenshot]

                                      I think I have to thank everybody in this forum. Netgate 2100 Max is a fantastic router though pricey.

                                      I shall seek further help if need be.

                                      Thank you everybody

                                      netboy @netboy

                                        @netboy I am documenting below "how I made my printers work over the network in Windows 10"

                                        My printers are in 172.16.0.XXX subnet and my computers are in 192.168.0.XXX subnet. 192.168.0.XXX can talk to (ALLOW) 172.16.0.XXX but not vice versa.

                                        The first thing I did was connect my computer to the 172 subnet and configure the printers.

                                        I then connected my computers to the 192 subnet, used the Windows tool to configure TCP/IP printers, gave the "static" IP address of the printers, and it worked.

                                        netboy @netboy

                                          @netboy I am back! I have one problem. Let me explain.

                                          My NAS has 2 NICs, one on the 192.168.0.XXX (PvT) subnet & another on the 172.16.0.XXX (IoT) subnet.

                                          Now I want to:

                                          • Create a GROUP with a list of MAC addresses that are in my 172.16.0.XXX (IoT) subnet that can access my NAS (which is also in 172.16.0.XXX (IoT)) [ MACgroupAllow ]

                                          • Firewall rule : ALLOW MACgroupAllow access to my NAS MAC XX.XX.XX.XX and

                                          • BLOCK all traffic within my subnet 172.16.0.XXX (IoT) in accessing my NAS MAC XX.XX.XX.XX

                                          These are my existing firewall rules in the IoT subnet

                                          [screenshot]

                                          Does it make sense? I am not sure I have explained my functionality well.

                                          stephenw10 (Netgate Administrator)

                                            That would need to be done on the NAS directly. Traffic between clients on the IoT subnet and the NAS IP address also in the IoT subnet does not go through pfSense, it just goes directly. So pfSense cannot filter it.

                                            With that said, pfSense is a layer 3 firewall so filtering MAC addresses (layer 2) is not something it's set up to do. You can do something like that by setting fixed DHCP leases for each MAC and then filtering by those IPs. But only for traffic passing the firewall.

                                            Steve

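The IP-based stand-in for a MAC allow-list that the reply describes, as an added pf.conf illustration (not from the thread, not pfSense-generated). It assumes each permitted IoT device has a static DHCP mapping pinning its MAC to a fixed IP, and it applies the allow-list to the one path pfSense can actually see: IoT hosts reaching the NAS through its LAN-side NIC. All addresses and interface names are constructed placeholders.

```pf
# Added example: allow-list by fixed-lease IP instead of MAC. Not from the
# original posts. Static DHCP mappings (MAC -> fixed IP) are configured in the
# DHCP server; pf only ever sees the resulting IPs.
iot_if = "igb2"              # PLACEHOLDER: the IOTP4 interface
lan_if = "igb1"              # PLACEHOLDER: the LAN interface
nas_lan_ip = "192.168.0.50"  # constructed: the NAS's NIC on the 192 subnet

# Constructed fixed-lease IPs of the IoT devices permitted to reach the NAS.
# "const" means the table cannot be changed at runtime with pfctl -t.
table <nas_allow> const { 172.16.0.21, 172.16.0.22 }

# Permitted IoT hosts may open connections to the NAS's LAN-side address.
# This sits above the reject rule because "quick" stops at the first match.
pass in quick on $iot_if inet from <nas_allow> to $nas_lan_ip keep state

# Everyone else on IoT is rejected toward the whole LAN subnet (the isolation
# rule established earlier in the thread).
block return in quick on $iot_if inet from $iot_if:network to $lan_if:network

# Note: nothing here can affect IoT host -> NAS IoT-side IP (172.16.0.x ->
# 172.16.0.y). That traffic is switched within the subnet and never enters pf,
# which is the limitation the reply points out; it has to be enforced on the
# NAS itself.
```

The table is the part that replaces the MAC group: because the lease is fixed, the IP stands in for the MAC, but only as long as a device cannot simply set a different static IP, so the allow-list is a convenience control rather than an authentication boundary.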
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.